Detailed Post-Mortem of a Website Hack Through WordPress & How To Protect Your WordPress Blog From Hacking
This WordPress blog was hacked for a few hours on 24th December (nice Christmas present!) from Russia. The hacker exploited several WordPress vulnerabilities in administrative scripts to gain full access to the website (as far as the apache user is permitted), including the ability to upload and run scripts, delete any file owned by the apache user, view files and directories, etc. This is a full disclosure of how the site was hacked and how I detected and removed the hack, along with a few comments on the state of WordPress security. I added a WordPress plugin and made modifications to prevent any such hacking attempts through WordPress in future. This is a must read for WordPress bloggers.
How was the site hack detected?
The website looked normal. However, when I tried to publish or even save a post, it simply showed a blank page. The post was never published or even saved. I knew something was wrong.
My first suspects were a couple of plugins which contacted external servers after a publish. I disabled them. I also disabled the ping sites, as they were sometimes known to cause problems. None of that helped. I progressively disabled all of the plugins. Even with all the plugins disabled, the post wouldn't publish. I was left with only one option.
I decided to trace the WordPress code to find the cause of the error. I started with the file for post submission, post.php. I found something startling in the WordPress code which seriously undermines its security, a flawed design choice, but more on that later. post.php calls admin.php, which calls wp-config.php, which in turn calls wp-settings.php. wp-settings is an interesting file. It isn't just about settings: it loads tons of files, loads and executes the plugins, and more. The problem was, as I originally suspected, in the plugins, but which one?
The code which loads the plugins in WordPress is:

if ( get_option('active_plugins') ) {
    $current_plugins = get_option('active_plugins');
    if ( is_array($current_plugins) ) {
        foreach ($current_plugins as $plugin) {
            // Whatever string is stored in active_plugins is appended to the plugin directory and included
            if ('' != $plugin && file_exists(ABSPATH . PLUGINDIR . '/' . $plugin))
                include_once(ABSPATH . PLUGINDIR . '/' . $plugin);
        }
    }
}

The active plugins, as you can see, are loaded directly with include_once. How do I find the plugin which, while loading, is causing the script to die?
I added simple syslog() statements before and after each plugin load. However, it generated copious output from all the traffic.
Remember, I was debugging on a heavily trafficked live site. So I added a define in post.php which I checked before doing a syslog. The debugging code was:
if ('' != $plugin && file_exists(ABSPATH . 'wp-content/plugins/' . $plugin)) {
    // TG_ADMIN is defined only in post.php, so only my own admin requests are logged
    if (defined('TG_ADMIN')) syslog(LOG_ALERT, "Loading $plugin...");
    include_once(ABSPATH . 'wp-content/plugins/' . $plugin);
    if (defined('TG_ADMIN')) syslog(LOG_ALERT, "Loaded $plugin...");
}
The result was surprising. The first plugin loaded was not even a plugin I knew existed, let alone used. It was named ro8kbsmawge.txt. The full path to the plugin was /../../../../../../../../../../../../../../../../../../tmp/ro8kbsmawge.txt
Effectively the file path was /tmp/ro8kbsmawge.txt. A telltale sign of this hacker is the presence of the file ro8kbsmawge.txt in your tmp directory.
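The loader above simply concatenates ABSPATH, PLUGINDIR, a slash and whatever string sits in the active_plugins option, and file_exists() is perfectly happy with a path that has climbed out of the plugin directory. The following is an added example, not WordPress code: it reproduces the concatenation to show how the stored value collapses to /tmp/ro8kbsmawge.txt, and then applies the check the loader is missing, accepting only relative names that still resolve under the plugin directory. ABSPATH and the benign plugin name are constructed; the traversal value is the one from this post.

```python
import posixpath

# Assumed WordPress layout (constructed for this example, not the server in the post).
ABSPATH = "/var/www/html/"
PLUGINDIR = "wp-content/plugins"

# The plugin value that was stored in active_plugins during the attack described above.
TRAVERSAL_PLUGIN = "/../../../../../../../../../../../../../../../../../../tmp/ro8kbsmawge.txt"


def resolve_plugin_path(plugin: str) -> str:
    """Mirror the loader's ABSPATH . PLUGINDIR . '/' . $plugin, then collapse '.' and
    '..' segments the way the filesystem will when the file is opened."""
    return posixpath.normpath(ABSPATH + PLUGINDIR + "/" + plugin)


def plugin_is_inside_plugin_dir(plugin: str) -> bool:
    """Hardened check: only relative names that stay under the plugin directory pass."""
    if plugin == "" or plugin.startswith("/") or "\0" in plugin:
        return False
    plugin_root = posixpath.normpath(ABSPATH + PLUGINDIR)
    resolved = resolve_plugin_path(plugin)
    if resolved == plugin_root:
        return False  # the directory itself is not a plugin file
    return posixpath.commonpath([plugin_root, resolved]) == plugin_root


def safe_plugins(active_plugins):
    """Filter an active_plugins list into (kept, rejected) before anything is included."""
    kept = [p for p in active_plugins if plugin_is_inside_plugin_dir(p)]
    rejected = [p for p in active_plugins if p not in kept]
    return kept, rejected


if __name__ == "__main__":
    print(resolve_plugin_path(TRAVERSAL_PLUGIN))  # /tmp/ro8kbsmawge.txt
    # "example-plugin/example-plugin.php" is a constructed benign name.
    print(safe_plugins(["example-plugin/example-plugin.php", TRAVERSAL_PLUGIN, "../wp-config.php"]))
```

The check is a pure string operation, which is what you want when deciding whether to trust a value read from the database. On a live filesystem, pair it with os.path.realpath() on the resolved path so that a symlink planted inside the plugin directory but pointing elsewhere is rejected as well.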
I renamed the file and the problem was solved for now. I could finally publish posts. However, my site was still not secure against future attacks. I will detail next how I secured my site and provide more information on the perpetrator and how the site was hacked in the first place.
How was the site hacked using WordPress?
The attack exploited a vulnerability in /wp-admin/options.php which allowed it to get the authentication cookies it required to upload the file ro8kbsmawge.txt to my /tmp directory using /wp-admin/inline-uploading.php. It then used /wp-admin/plugins.php to activate ro8kbsmawge.txt as a plugin, using options-misc.php along the way.
Finally the hacker accessed the site using his magic word piska233 and browsed a few directories on my server before retiring for the day. All of this was done within a span of 3 minutes, which leads to the conclusion that a script was used to exploit the holes and orchestrate the hacking.
The full log of the hacker's actions on my site (the IP address 217.74.245.85, identical on every line, has been removed) is:
[24/Dec/2007:07:40:24 -0600] "POST /wp-admin/options.php HTTP/1.0" 302 471 "http://blog.taragana.com/wp-admin/options.php" "Opera"
[24/Dec/2007:07:40:26 -0600] "POST /wp-admin/inline-uploading.php?post=-1&action=upload HTTP/1.0" 200 1645 "http://blog.taragana.com/inline-uploading.php?post=-1&action=upload" "Opera"
[24/Dec/2007:07:40:29 -0600] "POST /wp-admin/inline-uploading.php?post=-1&action=upload HTTP/1.0" 200 142 "http://blog.taragana.com/inline-uploading.php?post=-1&action=upload" "Opera"
[24/Dec/2007:07:40:52 -0600] "POST /wp-admin/options.php HTTP/1.0" 200 1713 "http://blog.taragana.com/wp-admin/options.php" "Opera"
[24/Dec/2007:07:40:54 -0600] "POST /wp-admin/options.php HTTP/1.0" 302 471 "http://blog.taragana.com/wp-admin/options.php" "Opera"
[24/Dec/2007:07:40:57 -0600] "POST /wp-admin/inline-uploading.php?post=-1&action=upload HTTP/1.0" 200 1645 "http://blog.taragana.com/inline-uploading.php?post=-1&action=upload" "Opera"
[24/Dec/2007:07:41:11 -0600] "GET /wp-admin/options-misc.php HTTP/1.1" 200 7764 "-" "Opera/9.24 (Windows NT 5.1; U; ru)"
[24/Dec/2007:07:41:15 -0600] "GET /wp-admin/wp-admin.css?version=2.0.7 HTTP/1.1" 304 - "http://blog.taragana.com/wp-admin/options-misc.php" "Opera/9.24 (Windows NT 5.1; U; ru)"
[24/Dec/2007:07:41:15 -0600] "GET /wp-includes/js/fat.js HTTP/1.1" 304 - "http://blog.taragana.com/wp-admin/options-misc.php" "Opera/9.24 (Windows NT 5.1; U; ru)"
[24/Dec/2007:07:41:12 -0600] "POST /wp-admin/inline-uploading.php?post=-1&action=upload HTTP/1.0" 302 - "http://blog.taragana.com/inline-uploading.php?post=-1&action=upload" "Opera"
[24/Dec/2007:07:41:21 -0600] "GET /wp-admin/plugins.php?action=activate&plugin=/../../../../../../../../../../../../../../../../../../tmp/ro8kbsmawge.txt&_wpnonce= HTTP/1.1" 200 1474 "http://blog.taragana.com/wp-admin/plugins.php?action=activate&plugin=/../../../../../../../../../../../../../../../../../../tmp/ro8kbsmawge.txt" "Opera"
[24/Dec/2007:07:41:23 -0600] "GET /wp-admin/plugins.php?action=activate&plugin=/../../../../../../../../../../../../../../../../../../tmp/ro8kbsmawge.txt&_wpnonce=7b4c8019bd HTTP/1.1" 302 - "http://blog.taragana.com/wp-admin/plugins.php?action=activate&plugin=/../../../../../../../../../../../../../../../../../../tmp/ro8kbsmawge.txt" "Opera"
[24/Dec/2007:07:41:30 -0600] "GET /?piska23 HTTP/1.1" 200 95716 "http://lamer/mwpep/?mode=shell&what=20" "Opera/9.24 (Windows NT 5.1; U; ru)"
[24/Dec/2007:07:41:36 -0600] "GET /?piska233 HTTP/1.1" 200 15840 "-" "Opera/9.24 (Windows NT 5.1; U; ru)"
[24/Dec/2007:07:41:44 -0600] "POST /wp-admin/options.php HTTP/1.1" 302 471 "http://blog.taragana.com/wp-admin/options-misc.php" "Opera/9.24 (Windows NT 5.1; U; ru)"
[24/Dec/2007:07:41:47 -0600] "POST /wp-admin/options.php HTTP/1.1" 302 471 "http://blog.taragana.com/wp-admin/options-misc.php" "Opera/9.24 (Windows NT 5.1; U; ru)"
[24/Dec/2007:07:41:55 -0600] "GET /?piska233&dira=/tmp HTTP/1.1" 200 9930 "-" "Opera/9.24 (Windows NT 5.1; U; ru)"
[24/Dec/2007:07:41:54 -0600] "GET /wp-admin/options-misc.php?updated=true HTTP/1.1" 200 7842 "http://blog.taragana.com/wp-admin/options-misc.php" "Opera/9.24 (Windows NT 5.1; U; ru)"
[24/Dec/2007:07:42:36 -0600] "POST /index.php?piska233&dira=./ HTTP/1.1" 200 36721 "http://blog.taragana.com/?piska233" "Opera/9.24 (Windows NT 5.1; U; ru)"
[24/Dec/2007:07:43:23 -0600] "GET /index.php?piska233&dira=./wp-content/plugins/Wysi-Wordpress/themes/advanced/docs/es/images HTTP/1.1" 200 6506 "-" "Opera/9.24 (Windows NT 5.1; U; ru)"
[24/Dec/2007:07:43:38 -0600] "GET /wp-content/plugins/Wysi-Wordpress/themes/advanced/docs/es/images HTTP/1.1" 301 298 "-" "Opera/9.24 (Windows NT 5.1; U; ru)"
[24/Dec/2007:07:43:40 -0600] "GET /wp-content/plugins/Wysi-Wordpress/themes/advanced/docs/es/images/ HTTP/1.1" 200 604 "-" "Opera/9.24 (Windows NT 5.1; U; ru)"
The good news is that no harm was done.
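The whole chain is visible in that listing once you know what to look for: admin POSTs whose referer names /inline-uploading.php, a path where the script does not live (it sits under /wp-admin/); a plugin activation whose plugin parameter climbs out of the plugin directory, tried first with an empty _wpnonce; a referer from a host that is not this site; and front-page hits carrying a bare token (piska233) as a query parameter. The script below is an added example written for this post-mortem, not something the author ran. It parses the log format shown above (client IP already stripped, as in the listing) and flags those patterns. Five sample lines are copied from the listing and one benign request is constructed; SITE_HOST and the rule names are my own.

```python
import re
from urllib.parse import urlsplit, parse_qsl

SITE_HOST = "blog.taragana.com"  # the host that appears in the listing above

# Combined-log fields, minus the leading client IP that the listing omits.
LOG_RE = re.compile(
    r'\[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Five lines copied from the listing above, plus one constructed benign request (last line).
SAMPLE_LOG = """\
[24/Dec/2007:07:40:24 -0600] "POST /wp-admin/options.php HTTP/1.0" 302 471 "http://blog.taragana.com/wp-admin/options.php" "Opera"
[24/Dec/2007:07:40:26 -0600] "POST /wp-admin/inline-uploading.php?post=-1&action=upload HTTP/1.0" 200 1645 "http://blog.taragana.com/inline-uploading.php?post=-1&action=upload" "Opera"
[24/Dec/2007:07:41:21 -0600] "GET /wp-admin/plugins.php?action=activate&plugin=/../../../../../../../../../../../../../../../../../../tmp/ro8kbsmawge.txt&_wpnonce= HTTP/1.1" 200 1474 "http://blog.taragana.com/wp-admin/plugins.php?action=activate&plugin=/../../../../../../../../../../../../../../../../../../tmp/ro8kbsmawge.txt" "Opera"
[24/Dec/2007:07:41:30 -0600] "GET /?piska23 HTTP/1.1" 200 95716 "http://lamer/mwpep/?mode=shell&what=20" "Opera/9.24 (Windows NT 5.1; U; ru)"
[24/Dec/2007:07:41:55 -0600] "GET /?piska233&dira=/tmp HTTP/1.1" 200 9930 "-" "Opera/9.24 (Windows NT 5.1; U; ru)"
[24/Dec/2007:08:05:02 -0600] "GET /?p=42 HTTP/1.1" 200 8123 "-" "Mozilla/5.0 (constructed benign line)"
"""


def analyse_line(line):
    """Return the rule names that fire for one log line ([] if clean or unparsable)."""
    m = LOG_RE.search(line)
    if not m:
        return []
    rec = m.groupdict()
    url = urlsplit(rec["target"])
    params = parse_qsl(url.query, keep_blank_values=True)
    referer = urlsplit(rec["referer"]) if rec["referer"] != "-" else None
    findings = []

    # 1. A parameter value that climbs directories (the plugin=/../../../tmp/... request).
    if any("../" in value for _, value in params):
        findings.append("path_traversal")

    # 2. wp-admin scripts are normally reached from other wp-admin pages on the same host;
    #    a referer naming another host or a path outside /wp-admin/ is forged or scripted.
    if url.path.startswith("/wp-admin/") and referer is not None:
        if referer.netloc != SITE_HOST or not referer.path.startswith("/wp-admin/"):
            findings.append("admin_referer_mismatch")

    # 3. Any referer from a host other than this site (the http://lamer/... line above).
    if referer is not None and referer.netloc not in ("", SITE_HOST):
        findings.append("foreign_referer")

    # 4. A nonce parameter that is present but empty, as in the first activation attempt.
    if any(key == "_wpnonce" and value == "" for key, value in params):
        findings.append("empty_nonce")

    # 5. Heuristic: front-end parameters normally carry a value (p=42, s=term); a valueless
    #    key on the front page (?piska233) is the kind of trigger a hidden shell listens for.
    if url.path in ("/", "/index.php") and any(value == "" for _, value in params):
        findings.append("bare_query_token")

    return findings


def scan(log_text):
    """Analyse every parsable line; returns [(timestamp, [rule, ...]), ...] in file order."""
    results = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m:
            results.append((m.group("ts"), analyse_line(line)))
    return results


if __name__ == "__main__":
    for ts, rules in scan(SAMPLE_LOG):
        if rules:
            print(ts, ", ".join(rules))
```

Rule 5 is deliberately a heuristic and will need an allowlist on a site that uses valueless query keys for its own purposes; rules 1 and 4 on the other hand have essentially no legitimate hits on a wp-admin path and are the ones worth alerting on.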
WordPress security issues & design flaw
The basic design flaw is that loading the WordPress configuration (required for database access for authentication checks) loads wp-settings, which loads tons of other PHP files as well as all the WordPress plugins and any hacks. All of this happens even before you have a chance to authenticate the user. This is extremely dangerous for administration scripts, as it allows a hacker to pass arguments to and execute gazillions of WordPress files which may or may not have proper security checks in place. User authentication and entitlement checks should be done at the very beginning, to prevent unauthenticated requests from proceeding any further. To do that, wp-config must be modified not to include wp-settings. It should be separately included where required, even at the cost of redundancy. Administration scripts (under wp-admin) require only wp-config to get the database details needed to authenticate the user and identify their entitlements. After authentication the rest should be loaded. This flaw was exploited to get the authentication cookie details which were subsequently used. The exact exploit used in this case is hard to determine from server logs alone. However, it was caused by the late authentication problem described above.
There were known issues with both options.php and the upload script, some of which are detailed here.
One of the challenges with WordPress is that security considerations were mostly an afterthought (feel free to disagree), latched on as WordPress became more and more popular. You have to continuously update your WordPress to keep up with the latest patches.
There are 71 reported security advisories for WordPress in Secunia (22 reported in 2007) and 9 viruses based on WordPress (one from 2007).
Most likely the site was hacked using the cookie authentication vulnerability, as detailed here.
Several WordPress plugins and themes also have security advisories:
- AdSense-Deluxe 0.x (plugin for WordPress)
- AndyBlue 1.x (theme for WordPress)
- Blix 0.x (theme for WordPress)
- Blixed 1.x (theme for WordPress)
- BlixKrieg 2.x (theme for WordPress)
- Blue Memories 1.x (theme for WordPress)
- myGallery 1.x (plugin for WordPress)
- PictPress 1.x (plugin for WordPress)
- Pool 1.x (theme for WordPress)
- Redoable 1.x (theme for WordPress)
You can read all the Secunia advisories on WordPress here.
Who was the hacker?
The IP address of the user responsible for hacking my site is 217.74.245.85. The IP address belongs to KUBANGSM-NET:

% Information related to '217.74.245.0/24AS29497'
route:    217.74.245.0/24
descr:    KUBANGSM-NET
origin:   AS29497
mnt-by:   KUBANGSM-MNT
source:   RIPE # Filtered

It is owned by:

person:   Volkov Denis
address:  61, Gimnazicheskaya str.
          350000, Krasnodar, Russia
phone:    +7 8612 660126
fax-no:   +7 8612 401505
e-mail:   d.volkov@kuban.mts.ru
nic-hdl:  VD370-RIPE
source:   RIPE # Filtered

Their website is http://www.kuban.mts.ru/. They appear to be a legitimate mobile & internet service provider. Most likely their internet service is being abused by the spammer. Nevertheless I decided to ban this IP address from accessing my server.
The hacker was most likely using the Opera 9.24 browser (almost the latest version) on Windows XP (NT 5.1). While the user agent can be faked, there is no reason to suspect so in this case. The user agent string also shows that he was using the Russian language file of Opera.
Anatomy of the hacking script
The hacking script is a PHP script with a nice comment and TODO line:

/*Magic Include Shell by Mag icq 884888*/
//TODO: ñëèòü ôàéëî íà ñâîé ôòï (!)

(The TODO is Cyrillic text mis-decoded as Latin-1; read as Windows-1251 it says "слить файло на свой фтп (!)", roughly "dump the file to my own FTP (!)".)
Effectively it is a file manager, probably adapted from one of the free PHP file managers on the net. It allows you to:
- Browse directories and files
- Edit files
- Rename files
- Delete files
- Zip & unzip files
- Upload & download files & directories
- Execute arbitrary PHP scripts
- Execute arbitrary shell commands
- Provide basic server, system & PHP information
The bulk of the code is executed when it receives a particular query string in a normal HTTP GET request. So while http://blog.taragana.com/ will work as usual, http://blog.taragana.com/?piska233 will open this magical hidden shell, which exposes your entire website to an outside hacker.
Note: There is nothing magical about piska233. It is a password which was most likely chosen by the attacker and given as input to the original script which injected this trojan horse on my site.
A trojan which protects itself against worms…
The trojan takes steps to protect itself against worms! The code at the end, which is always executed, is:
$post_arr=implode('.',$_POST);
$get_arr=implode('.',$_GET);
$cook_arr=implode('.',$_COOKIE);
$post_arr_key=implode('.',@array_flip($_POST));
$get_arr_key=implode('.',@array_flip($_GET));
$cook_arr_key=implode('.',@array_flip($_COOKIE));
$other_shtuki=@file_get_contents('php://input');
$cracktrack = strtolower($post_arr.$get_arr.$cook_arr.$post_arr_key.$get_arr_key.$cook_arr_key.$other_shtuki);
$wormprotector = array('base64','user_pass','union','select','substring','or id=');
$checkworm = str_replace($wormprotector, '*', $cracktrack);
if ($cracktrack != $checkworm) die("");
It checks for certain keywords (in the $wormprotector array) within GET, POST and COOKIE data. When they are present it simply aborts. This is one of the means to detect the current version of the script. This is also the reason why it failed to submit a post. A URL such as http://localhost/wordpress/?select would also die, as would http://localhost/wordpress/?base64.
However, there is nothing to be happy about. It would take less than a minute to modify the script and make it immune to detection in WordPress.
How to protect your WordPress site from hacking?
You can protect your administration scripts (scripts under wp-admin), where most attacks originate, including this one, by restricting access to your admin scripts to a specific IP address or IP address range. You can also add basic authentication on top of WordPress using your httpd.conf file or .htaccess. This adds a layer of security which any hacker will have to overcome before he gets to your WordPress vulnerabilities.
WordPress should be upgraded as regularly as possible. However, that is easier said than done. Normally I prefer to wait a few versions for the new versions to stabilize.
WordPress security vulnerabilities affect every one of us WordPress-based bloggers. While I was fully aware of the possibilities and had even thought of writing a plugin to address these issues before, I decided to wait (and address more urgent issues, or so I thought), relying on the law of probability to protect my sites; after all, there are several million WordPress blogs out there, so what were the chances of being targeted by a hacker? Well, as it turns out, I was wrong.
To simplify securing WordPress, I have created a plugin, to be released soon, which leverages these ideas and more to secure your WordPress installations. It works with your .htaccess, but it also works even when the .htaccess facility is not available. I have already started using it on my blogs.
February 28th, 2008 at 9:28 am
Hi there,
I am wondering if the plugin you mentioned to protect your blog from hacking has been released? I am sure every WordPress blogger and admin would be eternally grateful.
March 5th, 2008 at 11:34 am
I second dalton's thoughts… if you've got that plugin ready, I will be glad to offer hosting space for you if you're worried about bandwidth. I'd also love to get it running on some client web sites of mine. For now, I have been running into attempts from similar scripts and would love to chat.
Best wishes and thanks for the work you're doing.
-Dave
March 13th, 2008 at 11:15 am
Thanks for this. One other suggestion for people running an insecure WordPress with other critical applications is to run them on different unix userid accounts.
April 12th, 2008 at 4:20 am
great article… thanks
April 23rd, 2008 at 7:08 am
hi,
I wish I had found and read your article before I was a victim to this. After reading this I am sure that this is what possibly happened to my sites: they gained access through wordpress and infiltrated my entire public_html folder and erased all my files and folders. I was hosting 7 websites and all are now gone, and I know you should always backup backup backup, but I was thinking hey, I just got a few little sites, who would want to hack me lol. Well, now I know better, too little too late. But thanks for this.
May 5th, 2008 at 5:08 pm
[...] Taragana has a little something on the possibilities of a Wordpress hacking. There are many more on the subject as well. [...]
May 7th, 2008 at 11:10 pm
[...] If you're curious, you can read about the exploit the attackers used here and here. [...]
June 1st, 2008 at 5:58 am
[...] to some script-kiddie hacking my aging wordpress (2.0.4) installation I decided to upgrade wordpress on zensonic.dk. At the same [...]